js-xss VS DOMPurify

Encode output data before user-controllable data is written to a page to prevent it from being interpreted as HTML or JavaScript. You can use tools like xss for this purpose.

xss-shield is a powerful middleware package that helps you protect your express.js app from Cross-Site Scripting (XSS) attacks. It's built on top of the popular xss (https://www.npmjs.com/package/xss) package and includes additional features like strict typing

I personally always tend to use this one. It's lightweight, configurable and has Typescript support built in

Searching for XSS specifically actually comes up with a few - https://www.npmjs.com/package/xss looks solid. I was being to literal in my search! Should have tried bing.

There are a few libraries you can use to protect from xss. For instance the xss library on npm.

To solve this problem i use a package dompurify DOMpurify is used to prevent the XSS Attack. It remove all the dangerous tag from html and prevent XSS attack.

When working with Hypermedia, unlike other tools, we pay special attention to the security of incoming data from the server. Therefore, one of our solutions was integration with DOMPurify, which cleans incoming HTML of potentially dangerous markup.

https://github.com/w3c/trusted-types https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/trusted-types https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/meta/http-equiv https://github.com/cure53/DOMPurify

Pure functions, by their nature, reduce the attack surface. Because they don’t modify external state, they’re less susceptible to side-effect vulnerabilities like object pollution or prototype attacks. However, if a pure function processes user input, it’s still crucial to validate and sanitize that input to prevent XSS or other injection attacks. Libraries like DOMPurify (https://github.com/cure53/DOMPurify) can be used to sanitize HTML content, and schema validation libraries like zod (https://github.com/colyseus/zod) can be used to validate data structures. Always treat user input as untrusted.

ECMAScript features like Proxy can be exploited if not used carefully. Avoid creating proxies that intercept sensitive operations without proper validation. Prototype pollution attacks are a concern; sanitize user input and avoid modifying the Object.prototype. XSS vulnerabilities can arise from improperly handling user-provided data in dynamic contexts. Use DOMPurify (https://github.com/cure53/DOMPurify) to sanitize HTML before rendering it. Validation libraries like zod (https://github.com/colyseus/zod) can enforce data schemas and prevent unexpected input.

Let's take a look at how we implement sanitization in the secure version of our vulnerable application. Since this application is primarily written using JavaScript, we use the dompurify library for the client side and the isomorphic-dompurify library for server-side sanitization. In the app.js program that acts as our web server, you will find an express endpoint /sanitized with a GET and POST implementation:

After several hours of code review, I finally spotted something unfamiliar in the Markdown Renderer component: a function called escapeHTML was being used to escape HTML, even though DOMPurify was already being used for sanitization right after!

DOMPurify Documentation